[request] authentication signature validation

[ahmadnassri]

unlike the full scope of an oauth system/plugin, the only thing this plugin would do is validate the Authorization token headers against a known public/private key.

we could extend this a bit further to make it a bit more generic, by allowing to configure the schema of the header (regex)

e.g. an example of "oAuth Lite"

header_format = /oauth_token="(.+)"/g

would extract 370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb from:

Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", 
              oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", 
              oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", 
              oauth_signature_method="HMAC-SHA1", 
              oauth_timestamp="1318622958", 
              oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", 
              oauth_version="1.0"

[nijikokun]

👍 OAuth 1.0a validation only or 2.0 as well?

[ahmadnassri]

👍 OAuth 1.0 validation only or 2.0 as well?

it shouldn't matter, if allowing to extract tokens from headers using a regex (e.g. header_format) then in theory can support any "signing" method. be it oauth, or otherwise.

in the case of oAuth the "method" would be HMAC-SHA1